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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

Applicant : Brian Jacoby et al. Art Unit ; 2143 

Serial No. : 09/894,918 Examiner : Alina Boutah 

Filed : June 29, 2001 Conf. No. : 5947 

Title : DEEP PACKET SCAN HACKER IDENTIFICATION 

MAIL STOP AF 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

PRE-APPEAL BRIEF REQUEST FOR REVIEW 

Pursuant to United States Patent and Trademark Office OG Notices: 12 July 2005 - New 
Prc-Appeal Brief Conference Pilot Program, a request for a review of identified matters on 
appeal is hereby submitted with the Notice of Appeal. Review of these identified matters by a 
panel of Examiners is requested because the rejections of record are clearly not proper and are 
without basis, in view of a clear legal or factual deficiency in the rejections. All rights to address 
additional matters on appeal in any subsequent appeal brief are hereby reserved. 

Claims 1,3-7, 11-12, 16-17, 19-20, 22-26, 28,30-31,38-39,41-45,47, 49-50, 54-55, 57- 
62, 64 and 68-70 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Cox (U.S. 
6,738,814) in view of Eichstaedt et al. (U.S. 6,662,230) and in further view of Maher, III et al. 
(U. S. 6,654,373), in further view of Alcendor (U. S. 6,337,899). 

Applicant respectfully traverses these rejections. 

Applicant does not concede that the previously submitted affidavits arc insufficient to 
show diligence during the critical period. However, Applicant does not raise that issue at this 
point. Rather, Applicant is focusing the questions addressed in the pre-appeal request for review 
to those issues believed to be most suitable for a pre-appeal request for review. Accordingly, 
Applicant asks the panel to review the following two issues: 

1 . Cox, Eichstaedt, Maher and Alcendor, either alone or combined as proposed, fail 
to disclose or suggest "moni toring, at the network d evice, at least the pavload portion of the data 
packets directed from at least one of the access providers to at least one of the access requestors 
by scanning the pavload portion for at least one predetermined pattern and counting a number of 
data packets having pavload portions that include the predetermined pattern; and using the 
network device to deny subsequent data packets from the access req uestor to the access provi der 
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when a number of payload portions of the data packets received from the access provider to the 
access requestor is deemed to include the predetermined pattern exceed a configurable threshold 
number", as recited in claim 1, and similarly recited in claims 20, and 39. 

2. The Examiner's reasoning based on improper hindsight reconstruction is 
improper. 

Discussion of Issues: 

1 . Cox, Eichstaedt, Maher and Alcendor. either alone or combined as proposed, fail to 

disclose or sugge st "monit oring , at th e network device, at least the paylo ad portion of 
the data packets directed from at least one of the access providers to at least one of the 
access requestors by scanning the payload portion for at least one predetermined 
pattern and counting a number of data packets having payload portions that include the 
predetermined pattern; and using the network device to deny subsequent data p ackets 
from the access requestor to the access provider when a number of payload portions of 
the data packets re ceived from the access provider to the access r equestor is deemed to 
include the predetermined pattern exceed a configurable threshold number", as recited 
in claim 1 and similarly recited in claims 20, and 39 . 

In independent claim 1 , Applicant claims a method that includes, inter alia, monitoring, 
at the network device, at least the payload portion of the data packets directed from at least one 
of the access providers to at least one of the access requestors by scanning the payload portion 
for at least one predetermined pattern and counting a number of data packets having payload 
portions that include the predetermined pattern; and using the network device to deny subsequent 
data packets from the access requestor to the access provider when a number of payload portions 
of the data packets received from the access provider to the access requestor is deemed to include 
the predetermined pattern exceed a configurable threshold number. 

Applicant respectfully requests reconsideration and withdrawal of the rejection because 
not any one of the four references, Cox, Eichstaedt, Maher and Alcendor, nor any possible 
combination of these references, discloses or suggests the feature of denying subsequent data 
packets from access requestors based on the results of monitoring the payload portion of the data 
packets directed from access providers , as claimed. 
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On the record, Applicant has illustrated that all four references fail to teach the feature 
above. However, the advisory action provides no new arguments in response to Applicant's 
illustration and merely relies on the "combination as cited in the previous rejection". 

Applicant further illustrates an aspect of this feature recited by claim 1 using FIG. 1 . 

below: 

Step 1 : The Network Device monitors Y x i, a data packet from the Access Provider Y to 
Access Requester X to determine whether it has a predetermined pattern. 

Step 2: The Network Device denies X2, a data packet from the same Access Requester X 
if the number of data packets Y x i from Access Provider Y to Access Requester X 
having the predetermined pattern exceeds a threshold. 



Access 
Requester X 



Network 
Device 



Access 
Provider Y 



Y-jH 



FIG. 1 Claimed method 
Cox fails to teach step 1 of FIG. 1 above. In fact, Cox never monitors data packets from 
Access Provider Y. In contrast. Cox monitors solely data packets from the Access Requestor X. 
More specifically, as shown in FIG. 2 below, Cox denial of service decision is based solely on 
data packets from the incoming packets X I, X2 from the Access Requestor X. 
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FIG. 2 Cox's method 
The Office Action of 08/09/06 also acknowledges that Cox fails to suggest the features 
cited above. "Cox also fails to explicitly teach monitoring the payload portion of the data 
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packets directed from at least one of the access providers to at least one of the access 
requestors. .." See., e.g. page 5 of the Office Action of 08/09/06. 

The Office Action of 08/9/06 similarly fails to rely on either of Eichstaedt or Maher for 
this feature, instead relying exclusively on Alcendor for the teaching of this feature. However, 
Alcendor also fails to teach this feature. Yet the Office Action and Advisory Action fail to make 
a prima facie case of obviousness capable of withstanding scrutiny, as each fails to set forth 
motivation for a combination of Alcendor and Cox. 
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FIG. 3 Alcendor's method 

More specifically, Alcendor merely describes a method of authenticating users in 
telephony response systems, where users are temporarily inconvenienced to reselect the desired 
service after a number of failed login attempts, see, e.g., paragraph 2-3 of column 7 and Fig. 4 of 
Alcendor, also shown in FIG . 3 above, Alcendor only monitors the number of failed login 
attempts of a user; Alcendor does not monitor data packets from the access providers. 

Additionally, in the response to the non-final Office action of 02/03/06, Applicant further 
clarified the distinction from Alcendor by pointing out that Alcendor lacks the use of an 
intermediary network device, as required by claim 1 . By way of example. Alcendor does not 
disclose anything that relates to data packets, much less on monitoring the data packets directed 
from the access providers. Such additional distinction further demonstrates that Alcendor's 
system has a different structure and solves a different problem. This deficiency alone makes 
Alcendor unable to cure Cox's deficiency. 

Therefore, the proposed combination of Alcendor, Cox, Eichstaedt and Maher is deficient 
for failure of any of these references to teach or suggest the feature of denying subsequent data 
packets from access requestors based on the results of monitoring the payload portion of the data 
packets directed from access providers, as claimed in independent claim 1, and similarly 
independent claims 20 and 30. 
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2. The Examiner's reasoning based on improper hindsight reconstruction is improper. 

The Examiner points out that reconstruction is proper so long as it takes into account only 
knowledge which was within the level of ordinary skill at the time the claimed invention was 
made. Applicant does not dispute this point. However, Applicant nevertheless finds the 
reconstruction used by the Examiner to be improper, or at least without a proper basis. 

The cited rules of law itself clearly specify the need for reconstruction to take account of 
only knowledge which was within the level of one of ordinary skill at the time of the invention. 
To establish a prima facie case of obviousness, the Examiner must therefore demonstrate that the 
level of knowledge available to those of ordinary skill at the time of the invention supports his 
hindsight reconstruction. The Examiner has not done so. 

As indicated above, none of the art of record suggest the feature of denying subsequent 
data packets from access requestors based on the results of monitoring the payload portion of the 
data packets directed from access providers, and the Examiner has not demonstrated that those of 
ordinary skill at the time of the invention would have had knowledge of this very feature. 

In view of the above, all of the claims should be in condition for allowance A formal 
notice of allowance is thus respectfully requested. 

Please apply any charges or credits to Deposit Account No. 06-1050. 



Respectfully submitted/ 
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